
HackerSafe - Is it really worth it?

Discussion in 'Security' started by wastedsunday, Sep 13, 2007.

  1. #1
    Hello,

    Nearly everyone has seen the "HackerSafe" logo plastered on tens of thousands of mainstream websites, and so I took the time to learn more about the service they offer:

    http://www.scanalert.com/site/en/security/howwescan/

    I was wondering if anyone uses their service, and if it is really worth the $1.5k or (£800ish as the sales rep said on the phone) a year? My main revenue stream is advertising, and although I do sell a few products, I doubt the logo would increase sales - this is not why I am interested. I am interested in the service if it can test and scan for vulnerabilities in my custom PHP pages, because all I see from what they offer is "port scans" and that kind of stuff. The guy said all I have to do is paste 3 lines of html on my site, and they will check my custom pages for security risks... which sounds a bit optimistic.

    Thanks
     
    wastedsunday, Sep 13, 2007 IP
  2. chrise

    chrise Member

    #2
    I am in the same boat; can anyone here offer some legit statistics and testimonials on sales increase with Hacker Safe? They claim all their sites see increases from 10%-30% just by having their logo on your site.

    -Chris
     
    chrise, Sep 19, 2007 IP
  3. LevelServe

    LevelServe Guest

    #3
    Most users will just ignore it! I really don't think it really matters.
     
    LevelServe, Sep 19, 2007 IP
  4. jkrish41

    jkrish41 Banned

    #4
    Well, it's got two things going for it.

    1. People feel they are safe using your site, knowing their information won't get exploited if they have an account with information registered with you.

    2. Hackers like challenges, so they will purposely try to hack your site, just to prove it wrong, or for a dare (money challenge).

    Personally, I just keep my security up to date, and run security checks on my own websites every now and then just to make sure everything is up to date and not exploitable.
     
    jkrish41, Sep 19, 2007 IP
  5. meetgs

    meetgs Active Member

    #5
    seems like an automated process.

    the benefits will be more psychological than technological.

    it will not protect/test your custom PHP pages, as each page will have its own logic/flaws.
     
    meetgs, Sep 21, 2007 IP
    WebGeek182 likes this.
  6. pc_user

    pc_user Notable Member

    #6
    I would like to see some stats.
     
    pc_user, Sep 23, 2007 IP
  7. bubbles19518

    bubbles19518 Peon

    #7
    HackerSafe type sites don't provide any real protection. The only types of vulns they check for have to do with outdated apache mods and stuff like that, which if your host keeps your server up to date, you shouldn't have a problem.

    They don't scan for SQL injections/XSS/CSRF attacks, which is how most hackers will choose to own your site.

    That being said, it does provide a psychological benefit: when someone goes to your site and sees a HackerSafe button that supposedly checks the site for "1337 h4x0rs" and the most recent scan was today, they feel safer about buying something from your site.

    Instead of buying their service I just made my own button. I save myself the money, and I still get all the benefits.
     
    bubbles19518, Sep 23, 2007 IP
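    The three flaw classes named in this post live in the site's own page logic, which is why the thread keeps coming back to custom PHP code. The block below is an added example, not code from the thread, from ScanAlert or from any poster: each class is shown as the vulnerable pattern beside its hardened form. The `$pdo` connection, the `users` table, the `$session` array and the handler names are assumptions for illustration, and it targets PHP 7 or later (`random_bytes`, `password_verify`).

```php
<?php
// Added example (not from the thread or ScanAlert): SQL injection, XSS and CSRF,
// each as the vulnerable pattern and the hardened pattern.
// Assumptions: a PDO connection in $pdo, a table users(id, username, email,
// password_hash), and the session passed in as an array.

// --- 1. SQL injection --------------------------------------------------------
// Vulnerable: the username is pasted straight into the query text, so user input
// can change the query's structure. A scan of server software never sees this;
// the flaw is in the page itself.
function login_vulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '$user'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// Hardened: a prepared statement keeps data and SQL separate whatever the input.
function login_hardened(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// --- 2. Cross-site scripting -------------------------------------------------
// Vulnerable: a stored comment is echoed into HTML verbatim.
function render_comment_vulnerable(string $comment): string
{
    return "<p class=\"comment\">$comment</p>";
}

// Hardened: encode for the HTML context at output time.
function render_comment_hardened(string $comment): string
{
    return '<p class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// --- 3. Cross-site request forgery -------------------------------------------
// Vulnerable: the state change is accepted as long as the session cookie rides
// along, which the browser attaches automatically to a request from any origin.
function change_email_vulnerable(PDO $pdo, array $post, array $session): void
{
    $stmt = $pdo->prepare('UPDATE users SET email = :e WHERE id = :id');
    $stmt->execute([':e' => $post['email'], ':id' => $session['user_id']]);
}

// Hardened: require a per-session secret that another origin cannot read.
// Emit it in the form as
//   <input type="hidden" name="csrf_token" value="<?= csrf_token($_SESSION) ?>">
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function change_email_hardened(PDO $pdo, array $post, array $session): void
{
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        http_response_code(403);
        exit('invalid request token');
    }
    $stmt = $pdo->prepare('UPDATE users SET email = :e WHERE id = :id');
    $stmt->execute([':e' => $post['email'], ':id' => $session['user_id']]);
}
```

    The point of showing both forms side by side: none of the hardened versions depends on a scanner finding the flaw first. Prepared statements, context-aware output encoding and a compared-in-constant-time request token are properties of the code, which is what the OP's custom PHP pages need and what a daily external scan can at best only hint at.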
  8. craigedmonds

    craigedmonds Notable Member

    #8
    They scan for much much more than that and I think you all misunderstand what scan alert does and what the hackersafe seal signifies.

    It's not just the logo.

    I subscribe to hacker safe and it's probably one of the best security analysis tools I have used so far.

    A little expensive yes at $1800 per year to scan 3 devices but worth its weight in gold for uncovering vulnerabilities. (prevention is always better than a cure)

    When you have a scan alert account, you add your web sites for scanning and they basically run hack simulations on your server and I tell you that they reveal very very interesting information.

    When a series of tests are run, they inform you by email of any vulnerabilities and if you pass the tests the site seal appears on your site which of course is additional assurance to visitors to your site.

    The tests they run conform to Visa PCI compliance meaning that if you can pass their tests then your server is considered as secure as it can be.

    I was a bit dubious about it all at first, but it's a first-class service.
     
    craigedmonds, Sep 24, 2007 IP
  9. bubbles19518

    bubbles19518 Peon

    #9
    I understand perfectly what it does....

    "Over 75,000 sites protecting you from identity theft and credit card fraud"

    That is a direct quote from an image off the index page of their site, http://scanalert.com

    They scan for vulnerabilities that exploit outdated versions of software and DOS attacks and stuff like that. They ARE useful for finding these vulnerabilities but you could save yourself $1800 and just keep your server up to date and download the latest patches for the stuff you run.

    If you're going to commit identity theft or steal credit cards, you are going to use a combination of SQL Injections/XSS/CSRF, which they DO NOT scan for.

    Look at this thread:
    http://sla.ckers.org/forum/read.php?3,2662

    It's over 3 pages of XSS vulns in "hackersafe" sites. These vulnerabilities can be used to create fake login screens and steal users' information. That's just XSS, nobody even touched on the SQL/CSRF vulns that most likely reside in the same sites.
     
    bubbles19518, Sep 25, 2007 IP
  10. craigedmonds

    craigedmonds Notable Member

    #10
    That's strange because my scan alert account scans for sql injection plus a multitude of different similar hacks. (the list is pretty flipping long actually, my scan alert report goes into about 150 pages listing all the different tests)

    I know this because I hired a young whippersnapper programmer to make some login pages and scanalert sent me an email a few hours later telling me about it and then it was fixed of course. (and the programmer beaten with his keyboard)

    I am not saying that scanalert is the be all and end all of site security, it's not by a long shot, and any techie who relies solely on scanalert is an idiot, it's basically a tool used for professionals who don't have the time to run thousands of hack simulations on the thousands of pages on their sites.

    It's the same way a carpenter has his nails, hammers, pliers and screwdriver to make a cabinet, scan alert is a tool in the security toolbox.

    Any serious setup should consist of multiple managed firewalls with intrusion detection and auto blocking features for certain requests that fall outside of a normal request.
     
    craigedmonds, Sep 25, 2007 IP
  11. Ladadadada

    Ladadadada Peon

    #11
    Part of my job is scanning third party sites my company wants to do business with (with their permission, of course) for security vulnerabilities. I use a combination of tools including nmap, Nessus and Watchfire Appscan.

    I have recently scanned a site that proudly displayed its HackerSafe sticker and while it was better than many sites I have seen it wasn't completely bulletproof. I was able to find XSS vulnerabilities and a lengthy series of information disclosure issues. (Not credit card information, but information that would help a hacker in finding an exploit)

    I know that a proper scan will take several hours and some scans can take days. It depends heavily on the site and the hosting hardware. Once the scan is done, it needs a human to go through the report and verify which issues are real problems and which ones are just the software finding false positives.

    As for your question, AppScan costs upwards of £20,000 for a single license and a security expert to interpret AppScan's results would cost much more than that... so £800 per year is not very much in comparison. However, for £800 per year, you aren't getting the same value as £30,000 per year would get you.

    The next few questions to ask are:

    Will the HackerSafe sticker bring in any extra business from customers who are now more confident in your site?

    What would the cost of a breach of security be?

    How would you handle a breach in security, with or without a HackerSafe sticker?
     
    Ladadadada, Oct 5, 2007 IP
  12. Konshu

    Konshu Peon

    #12
    I wouldn't bother with HackerSafe. I have personally witnessed Carts get nailed with SQL injection that had a HackerSafe logo on it.
     
    Konshu, Oct 6, 2007 IP
  13. roosevelt

    roosevelt Active Member

    #13
    Yep, don't bother with it. I too contacted hackersafe before putting my business online and the whole idea of a thousand bucks just doesn't seem worth it. What you need to know is keep your hardware updated, and contact a professional to check your website/server every month or two.

    The whole boosting sale is just to get consumers.
     
    roosevelt, Oct 7, 2007 IP
  14. zebulon

    zebulon Well-Known Member

    #14
    I doubt it is worth it. The best and cheap method is to install Mod Security and have it track/log/suspend in real time/monitor everything including administrator actions on ssh.

    If you are using a popular web script, be sure the hackers are downloading it and searching for RFIs, LFIs, SQL injections, XSS, cookie poisoning, kernel o/fs and more. Just stay current with patches, and check out the vendor's forum to see if any security issues have come up.

    I can offer to pen test your scripts for RFIs, SQL injections and XSS, but it is really unneeded, just make your daily backups and let Mod Security do the rest.
     
    zebulon, Oct 8, 2007 IP
  15. craigedmonds

    craigedmonds Notable Member

    #15
    Maybe....those sites have fake hacker safe logos?
     
    craigedmonds, Oct 10, 2007 IP
  16. bubbles19518

    bubbles19518 Peon

    #16
    That was the point I was trying to make earlier... You CAN'T scan for XSS/CSRF/SQL Injection Vulnerabilities. The ones worth exploiting require a human to look at the code and write an exploit SPECIFICALLY for that code. The way MOST hackers are going to own your site is via one of those three methods. Nobody exploits the vulns that hackersafe scans for and as long as you patch everything when patches are released you'll be fine anyway. Therefore, it's a waste of money.

    Create your own hackersafe site, make up your own button, and watch your sales increase just as much as they would have if you had paid $2000.
     
    bubbles19518, Oct 16, 2007 IP
  17. craigedmonds

    craigedmonds Notable Member

    #17
    I am not trying to be biased here whatsoever and for some hackersafe is just not their thing but I have a hackersafe account and it certainly does check for cross site scripting and sql injection vulnerabilities.

    I don't understand why everyone is saying that it doesn't.
     
    craigedmonds, Oct 16, 2007 IP
  18. Ladadadada

    Ladadadada Peon

    #18
    I'm going to have to disagree with you there. I use Watchfire's AppScan at work and it does scan for XSS, CSRF and SQL injection. It even has a method for determining whether you have a blind SQL injection based on several different requests with values that are functionally equivalent on SQL but are actually different strings.

    The blind SQL injection scanning is susceptible to false positives and any site with rewrite rules directing everything to a front controller is going to set off just about every test it has because often it only looks for a 200 response code. But false negatives are infinitely worse than false positives and it really doesn't get all that many of them. Overall, AppScan is a great product. If you have a vulnerability in your site, it will most probably find it.

    Yesterday, it found a credential enumeration on a site that was a false positive. It was using the wrong parameter as the username... yet when I tried with the correct username parameter, the credential enumeration was still there.

    The trouble with Hackersafe is that AppScan on a typical run does somewhere between 20,000 and 150,000 tests. This will take (depending on the speed of the site) between 2 hours and 2 days and will cause an enormous number of extra requests to the website and often (because they're strange looking requests) a lot of extra load. I have to contact any site I'm going to scan, warn them in advance, check when the best time to scan is and monitor their site to make sure I don't take it down. I did actually take a site down once, because I filled their HD with log files.

    Hackersafe can't possibly do a scan anywhere near that thoroughly if they're going to do it every day. They do perform a useful service, but the question is really "is the service they provide worth what they are asking for it ?" I would rather a service that did a weekly scan during my quietest period that was much more thorough.

    Of course, the best value for money after your first comprehensive scan is to hire a security-conscious PHP coder and/or a security conscious sysadmin.
     
    Ladadadada, Oct 17, 2007 IP
    craigedmonds likes this.
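    The front-controller false positive this post describes comes from a catch-all route that renders a "not found" page with status 200, so a scanner keying on the status code reports every probed path as a live page. The block below is an added example, not code from the thread or from AppScan: a minimal PHP front controller that answers unknown routes with a real 404, which removes that whole class of false positive on the site's side. The route table and handler names are constructed for illustration.

```php
<?php
// Added example (not from the thread): a front controller that returns a real
// 404 for unknown routes instead of a "not found" page with status 200.
// Assumes a rewrite rule sends every request to this file. The route table is
// a constructed illustration.

$routes = [
    '/'        => 'home page',
    '/login'   => 'login form',
    '/account' => 'account page',
];

/**
 * Map a request URI to [status code, body]. Only the path selects a handler;
 * the query string is ignored for routing.
 */
function dispatch(array $routes, string $requestUri): array
{
    $path = parse_url($requestUri, PHP_URL_PATH) ?? '/';

    if (!array_key_exists($path, $routes)) {
        // Unknown route: say so in the status line. A scanner (or a search
        // engine) that keys on the status code then sees a miss, not a hit.
        return [404, 'Not Found'];
    }
    return [200, $routes[$path]];
}

[$status, $body] = dispatch($routes, $_SERVER['REQUEST_URI'] ?? '/');
http_response_code($status);
echo $body;
```

    A scanner that compares response bodies as well as status codes would see through a 200 "not found" page anyway; the status-only shortcut is exactly the cheap check the post says produces the noise, and a correct 404 makes the site behave the same for both kinds of scanner.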
  19. bubbles19518

    bubbles19518 Peon

    #19
    I think they scan for the general ones. I don't know maybe they don't. Can you post an example requested URL from the logs?

    All I meant was that most web based exploits are unique, and can't be scanned for. Just look at this:

    http://ha.ckers.org/xss.html

    It's a gazillion different ways to include XSS on a site, and it's only a starting point. You edit that code to suit the specific needs of the sites you are exploiting.
     
    bubbles19518, Oct 17, 2007 IP
  20. lowridertj

    lowridertj Well-Known Member

    #20
    I can say that scanalert is a decent buy and has helped to increase my sales on average 20-30% over the last 2 months I've had it on one of my sites.

    When they scan, so long as the alerts are minor you will pass and stay green (their go/no-go way of things).

    You are notified of the problem found and a way to fix it. It is up to the webmaster to fix the problem, small or large in size, to make sure any possible way or form of hacking can be stopped.

    As far as the above mentioning of sites that have been shown as hacker safe and their carts getting nailed: sorry, like I said it's up to the webmaster of that site not to ignore even small threats.
     
    lowridertj, Oct 17, 2007 IP